brute forcing passwords, aren't there limits to requests? [closed] - security

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
Reading articles like this one makes me wonder, is this a real world problem?
Say that someone (or something) wanted to crack my FTP login. The cracking software can deliver so and so many million guesses per second, but the server that is under attack can't possibly serve up that many "incorrect password" replies. In what kind of scenario do I need to worry about brute forcing?

If your database of password hashes is compromised, and they can try to crack it on their local machine

The point of these devices is to brute-force a password hash (from a leaked database).
No server is involved.
If they were trying to crack your FTP login, they wouldn't need lots of GPUs; they would simply need lots of network bandwidth.

The article says this, "Tools like Gosney’s GPU cluster aren’t suited for an “online” attack scenario against a live system. Rather, they’re used in “offline” attacks against collections of leaked or stolen passwords that were stored in encrypted form, Thorsheim said."

The article you linked already gives the answer to your question:
Tools like Gosney’s GPU cluster aren’t suited for an “online” attack scenario against a live system. Rather, they’re used in “offline” attacks against collections of leaked or stolen passwords that were stored in encrypted form, Thorsheim said. In that situation, attackers aren’t limited to a set number of password attempts – hardware and software limitations are all that matter.

Related

DOS attacks using cmd and protection against them [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
After finding someone's IP you can easily send pings to them to make DoS attacks. My friend and I tried to make a defense against them and wanted to know how a low-level attacker can send these DoS attacks. When one of us sent pings to the other using cmd while we were connected to the same modem (Wi-Fi), it succeeded in sending pings. But when we were on different networks it failed and sent a message like "Request timed out". I assume this is a failure message, but I have some questions on this matter.
I won't write the command to make DOS attacks since I don't want to encourage anyone in making those and anyone who is knowledgeable in this subject already knows how to do that.
//Assume that attacker knows the ip of the victim.
Questions
Can a computer be successful enough to slow down the second computer if he sends infinite pings? If so in how much time(approximately.)(assume their computers are same.) What can be the worst result for the victim?
How can someone be successful in making DOS attacks to people who are connected into different networks from cmd? And how can I take measures against them?
This will not work over the internet if the victim's router is set not to send ICMP replies to ping requests.
Can a computer be successful enough to slow down the second computer
if he sends infinite pings? If so in how much
time(approximately.)(assume their computers are same.) What can be the
worst result for the victim?
Not significantly. What you need is an amplification attack - that is, the victim's computer has to do more work than you for each request. Sending a reply to a ping is minimal work and involves sending the same amount of bytes back, so you are not slowing the victim machine any more than your own.
How can someone be successful in making DOS attacks to people who are
connected into different networks from cmd? And how can I take
measures against them?
You would be better off using a software tool to do this, or by setting up a botnet to do a distributed denial of service instead (DDoS). Usage of such tools is probably illegal depending on your jurisdiction and you should get full permission if testing this from the owners of all networks and systems where your traffic would flow.
Mitigating DDoS is the million dollar question. Services such as CloudFlare can help. It all depends on what you need to protect and who from.

Is it flood DDOS attack? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I'm a regular user of your website but I never asked a question. I hope, it's a good way. For some weeks, I have special DDoS attacks on a website. I don't know what kind of attack they are and how is it possible to launch them. The question is not how to block them, I know this, but what kind of attack it is and how is it possible. I think it's flood DDOS attack, but how this one?
For some weeks, 3 times, I had on my website thousands and thousands of GETs (+/- 10,000/min, during 30 minutes, to take down my server), such as:
index.php/q=99999, all queries are different and existing on the website;
all IPs are the same per attack (only one IP per attack, and the 3 IPs used for these attacks are in the same segment xxx.xxx.xxx...), from the same host in another country, which doesn't have any link or competition or anything to do with my site.
the user-agents are different (+/- 40 different agents per attack, never the same one twice in succession, but all of them at the same time.)
I don't think that the IP sources are really the attackers, because it's a little stupid to use the same IP for such an attack. But I think that the hackers want to make me think that the attacks are really coming from these IPs.
But, if these IP sources are not real, how is it possible to launch such an attack, with +/- 40 different agents, coming from the same IP at the same time? Is it easy to do that? Does it need big systems? Could a single hacker do that? Or are such services cheap and available on the net?
I can block such attacks but I try to understand the goal, the meaning of them and how they do that. To block only is not enough. I need to understand. If you cannot help, maybe advise me where I could find the information.
Thank you so much.
It does sound like an attack alright. It's not hard to pull off, nor set up. These kinds of attacks are usually done via computer farm or a zombie horde, and as such it's fairly easy to set up, and as a result of that, it's a service offered online.
People do this because they can or because of a personal and/or business vendetta.
I could write about this topic for hours, but none of it wouldn't have been said before. So allow me to forward you to some further reading on the topic.
For a quick and dirty overview:
Tom's Hardware entry on the topic is also a nice, condensed, straight to the point write-up, which I've found useful in the past.
A more detailed, yet broad overview of DDoS attacks and protection:
Wikipedia's article on Distributed Denial of Service attacks is extremely well written and updated. I suggest you start there.
If you're serious about defending yourself / educating yourself: Cisco's article on how to defend yourself against DDoS. It's extremely detailed and long and useful. I've come back to it several times over the years for help on the topic -- both academically and professionally.
Good luck!
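The traffic pattern described in this question (one source IP, thousands of GETs per minute, dozens of rotating user agents) can be picked out of an access log mechanically. The following is an added example, not part of the original posts; it assumes the server writes Combined Log Format, and the thresholds, addresses, dates and the `flag_flooders` name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def flag_flooders(lines, max_per_min=600, max_agents=5):
    """Return {ip: (peak requests in one minute, distinct user agents)} for
    clients that exceed both thresholds (assumed values, tune per site)."""
    per_minute = defaultdict(lambda: defaultdict(int))  # ip -> minute -> hits
    agents = defaultdict(set)                            # ip -> user agents
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_minute[m["ip"]][ts.replace(second=0)] += 1
        agents[m["ip"]].add(m["ua"])
    flagged = {}
    for ip, buckets in per_minute.items():
        peak = max(buckets.values())
        if peak > max_per_min and len(agents[ip]) > max_agents:
            flagged[ip] = (peak, len(agents[ip]))
    return flagged

def constructed_log():
    """Constructed sample: one flooding client and one ordinary visitor."""
    lines = []
    for i in range(1000):  # 1000 requests inside one minute, 40 rotating agents
        lines.append(
            f'203.0.113.7 - - [10/Mar/2015:14:05:{i % 60:02d} +0000] '
            f'"GET /index.php/q={1000 + i} HTTP/1.1" 200 512 "-" "Agent/{i % 40}"'
        )
    for i in range(20):    # normal browsing: 20 requests, one agent
        lines.append(
            f'198.51.100.23 - - [10/Mar/2015:14:{i:02d}:00 +0000] '
            f'"GET /index.php/q={i} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        )
    return lines

if __name__ == "__main__":
    print(flag_flooders(constructed_log()))
```

Requiring both a high per-minute peak and many user agents from one address keeps a busy proxy or a single fast crawler from being flagged on rate alone.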

How can I know how well protected my password is on a site? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
A couple weeks ago, I noticed a question where a site owner was asking about how they could better manage user passwords for their site. They were storing the passwords using an excel sheet as a database.
I am not finding that question now, but there were several comments pointing out using Excel as a password database was not a good idea. The pure inappropriateness of this has not left my thoughts and I wonder how many sites use low-level password protection.
If I were to test on that particular web site by changing my password to '=2+2' and then trying to log on with '4' as my password, that might give me an indication that my site password was not being well managed.
What should I look for, or what tests can I perform to validate what level of protection a site is using to protect the password I use there?
It can be incredibly difficult (or even impossible) to judge the security of some site without straddling some legal gray areas.
One easy way to test if password management on a site is awful is if you do a "forgot password" request, and they email you your password in plaintext. That means they are, at worst, storing your password in plaintext, and at best encrypting it instead of hashing it (still bad practice).
Other than gaining access to the system (or, of course, asking the developers) you can't really be sure about what methods are being used. They could store your password in plaintext and still not send it in an email. It eventually comes down to trust and using necessary precautions (such as unique passwords, or limiting what info you give them).

In relation to packet sniffing, how secure are secure networks? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I don't fully understand how packet sniffing works, but the gist I get from it is that if someone is logged on the same network as you, they can sniff packets for unhashed passwords and... well, that's really enough damage.
The solution, I've read, is to only go on networks that are secure when doing bank stuff, but my issue is that the only secure network I have is a school wide one (dorms). Imaginably, the school wouldn't set up a network so open to password theft, but the only thing I can think of stopping the bad guys is that we log in with our student ID. All they would need is someone else's ID and password and (if my understanding is correct) they could packet sniff pretty much everyone in the hall using the same router without being traced.
Are my fears justified, and if not why? And if so, also why?
Thank you
Speaking generally, you can't sniff transmissions between a client and a bank server since the communication uses public key encryption. That said, SSL is still vulnerable to man-in-the-middle attacks - beware of notices/alerts about unrecognized certificates.
Regarding privacy on non-HTTPS websites, it depends on how your network is set up. If it's a standard WPA2 setup then all of your unencrypted traffic is visible (easily) to anyone who is in transmission range of your computer and has the WiFi password. You can install HTTPS Everywhere from EFF (https://www.eff.org/https-everywhere) which helps secure your communications on many common websites - Facebook, Twitter, etc.

Delay decryption of a file [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Here's roughly the idea: Alice encrypts a file with key K and gives both to Bob, saying he should only use it to decrypt the file if something happens to Alice. To make sure he doesn't use his key too early, Alice wants to write an algorithm that when Bob tries to decrypt her file, she receives an email, and only if she does not take some action within a certain time (like 48h) will Bob be able to proceed with decrypting the file.
Is such a thing possible at all without a trusted third party?
Not in the negative form you've created. Bob has all the pieces required to decrypt the data. Once you have given a party all the pieces, there is no mechanism by which you can prevent them using those pieces (other than hoping that they will only use your software; security through hope is not a strong authentication). This is much of what escrow services (i.e. trusted third parties) exist to manage, not just in the data world, but the real world.
BTW, when designing security protocols, you probably want to get rid of even thinking in terms of "sends an email." This tends to lead to wrong thinking about the protocol. What you mean is "sends a message to Alice." The fact that the message is encoded as an email is completely irrelevant, and is likely to get you thinking in terms related to email implementations.
